December 1, 2009 at 1:55 am #42071 Thomas_Powers Member
Here’s what we’re doing this time.
We will have 2 ZS boxes, call them ZS1 and ZS2, each with ETH00 as the internal (LAN) side and ETH01 as the outside.
ZS1 will have a VPN to ZS2 for LAN-to-LAN connectivity. That’s easy, and we have that running.
The catch is on ZS2. It will be replacing a firewall with 2 outside IP addresses. One of the addresses will be for the VPN to connect to. The other address on the outside of ZS2 will be used to take SMTP, HTTPS, and 3389 traffic to forward into an internal server. We would like people to be able to NAT out to the internet and use the 2nd address on this device.
The firewall in ZS is complete Greek to a Windows junkie and a self-expressed Linux noob. (No offense to the actual Greek members in the forum…love the gyros!)
So…how does one configure the static entries on the outside addresses to react differently?
To be more exact…let’s say that the outside addresses of ZS2 will be 18.104.22.168 and 22.214.171.124. We’ll have the VPN from ZS1 connect to 126.96.36.199, and we would like inbound SMTP, inbound HTTPS, and inbound 3389 to respond on the 188.8.131.52 address and be forwarded to an internal LAN IP of, let’s say, 192.168.1.250. Plus…how does one direct internal traffic from users to go out (NAT) and use the 184.108.40.206 address?
Here’s the interesting part…how does one prevent the 220.127.116.11 address HTTPS from interfering with the remote HTTPS administration that I would like to have respond on 18.104.22.168?
That about sums it up.
Thanks for everyone’s help
Tom P

December 1, 2009 at 1:26 pm #49187 ppalias Member
It is not that hard. If you have static IPs on the 2 ZS it is easier. On the 22.214.171.124 interface of ZS2 add only one static route for the ZS1 WAN interface. On the 126.96.36.199 interface assign the default gateway. In the virtual servers section add the ports to be forwarded on the 188.8.131.52 only! NAT only on the 184.108.40.206 interface; the other one works with the tunnel. Regarding the HTTP administration, you may block the interfaces that you don’t want to listen on. There is the HTTPS menu on the administration page.
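
The layout described in this thread, written out as plain Linux iptables rules. This is an added example, not part of either post and not ZeroShell's own configuration. The interface name, the LAN subnet, the 198.51.100.x outside addresses and the 203.0.113.0/24 source restriction on 3389 are placeholder assumptions.

```shell
#!/bin/sh
# Renders an iptables-restore ruleset for review; it does not change the running firewall.
# Placeholders (assumptions, not values from the thread): interface, subnets, 198.51.100.x, 203.0.113.x.
WAN_IF="eth1"             # outside interface
LAN_NET="192.168.1.0/24"  # assumed LAN subnet containing the internal server
VPN_IP="198.51.100.10"    # outside address 1: VPN endpoint and remote HTTPS administration
SVC_IP="198.51.100.11"    # outside address 2: published services and outbound NAT
SERVER="192.168.1.250"    # internal server named in the thread
RDP_SRC="203.0.113.0/24"  # assumed admin network allowed to reach 3389

render_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port forwards match on the second address only, so HTTPS to $VPN_IP
# is never rewritten and still reaches the local administration page.
-A PREROUTING -i $WAN_IF -d $SVC_IP -p tcp --dport 25 -j DNAT --to-destination $SERVER:25
-A PREROUTING -i $WAN_IF -d $SVC_IP -p tcp --dport 443 -j DNAT --to-destination $SERVER:443
-A PREROUTING -i $WAN_IF -s $RDP_SRC -d $SVC_IP -p tcp --dport 3389 -j DNAT --to-destination $SERVER:3389
# LAN users leave through the second address; nothing is translated to $VPN_IP.
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $SVC_IP
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Defensive: HTTPS addressed to the second address must never land on the
# firewall's own administration listener if a forward rule is missing.
-A INPUT -i $WAN_IF -d $SVC_IP -p tcp --dport 443 -j DROP
COMMIT
EOF
}

render_rules
```

Because the 443 forward matches only the second address, HTTPS sent to the first address is delivered to the firewall itself, which is what keeps remote administration and the published HTTPS server apart.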